On Dec 17, 2007 8:11 AM, Roberts, Jon <Jon.Roberts@asurion.com> wrote:
> Alvaro Herrera pointed out that pg_read_file requires superuser access which
> these users won't have so revoking access to the function code should be
> possible.
>
> Joshua D. Drake suggested revoking pg_proc but that isn't the source code,
> it just has the definition of the functions.
>
> If it isn't a feature today, what table has the source code in it? Maybe I
> can revoke that.
the table is pg_proc. you have to revoke select rights from public
and the user of interest. be aware this will make it very difficult
for that user to do certain things in psql and (especially) pgadmin.
it works.
a better solution to this problem is to make a language wrapper for
pl/pgsql that encrypts the source on disk. afaik, no one is working on
th is. it would secure the code from remote users but not necessarily
from people logged in to the server. the pg_proc hack works ok
though.
merlin
